The Average Security Budget Increased by 47% in 2019*

Cybersecurity is progressively becoming a more involved and crucial part of the business.

If you've stumbled upon this guide, you're probably already well aware of cybersecurity and its many facets. For security professionals in leadership positions, the idea of implementing and managing a company-wide security program can seem like a daunting responsibility, regardless of your vertical or organization size. Fortunately over the years, we've seen the role of the security leader evolve from a technical position to a more strategic and business-focused one. In order to keep pace with the business and make security a competitive advantage, it’s critical for today's security leaders to align with the business goals and create a culture of shared cyber risk ownership 

What Does a Strategic Security Program Look Like? 

Through the trends we've collected from our 150+ CISO interviews in our quarterly publication, Feats of Strength, and the research gathered from the K logix Internal Research Department, we can conclude that a successful security program includes these components:

Screen Shot 2020-03-18 at 1.14.55 PM


Getting Started: Industry Frameworks and Best Practices 

notable study assessed adoption patterns for widely used security frameworks. The survey was completed by 338 IT and security professionals in the U.S and it reveals that 84% of organizations already leverage some type of security framework. The frameworks most widely used by respondents include:

  1. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) 
    • Used by 29% of organizations, NIST is a voluntary framework intended primarily for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices 
    • That being said, the Cybersecurity Framework has proven to be flexible enough to also be applied by non-US and non-critical infrastructure organizations 
  2. Center for Internet Security Critical Security Controls (CIS) 
    • Used by 32% of organizations, the CIS Critical Security Controls are a set of 20 actions designed to mitigate the threat of common cyber attacks 
    • The controls were designed by a group of volunteer experts from a range of fields, including cyber analysts, academics, auditors, and consultants
  3. ISO 27001/27002
    • Used by 35% of organizations, ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system) 
    • Achieving accredited certification to ISO 27001 shows that your company is following information security best practice, and delivers an agnostic expert assessment of whether your data is adequately protected   

While the three frameworks listed above are considered some of the most widely used, you might be subject to different and/or additional requirements and compliancy regulations depending on your industry and organization size.  

Security Program Areas: The Basics 

In order to set the foundation for your strategic security program, it's important that you have the basics down. These are the most common security areas/categories: 

  1. Application Security
    • This term describes security measures at the application level that aim to protect critical data from external threats by ensuring the security of all of the software used to run the business. This area of security helps identify, fix and prevent security vulnerabilities in any kind of software application. Types of Application Security activities include: authentication, authorization, encryption, and logging. 
  2. Assessments
    • Security assessments and audits are crucial to the success of a security program. These studies work to explicitly locate IT vulnerabilities and risks within an organization’s system and infrastructure. They identify vulnerabilities, such as faulty firewall, lack of system updates, malware, or other risks that can impact their function and performance.
    • Types of Assessments include: Penetration Testing, Vulnerability Assessments, Audits, Risk Assessments, Threat Assessments, Red Team Assessments, White/Grey/Black-Box Assessments, and more 
  3. Cloud Security
    • Simply put, cloud security involves the procedures and technology that secure cloud computing environments against both external and insider cybersecurity threats. Based on your deployment model, you can classify your cloud as public, private, or hybrid (a combination of both public and private).  
    • There are three different types of cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The latter is the most common cloud service, offering data storage and virtual servers.  
  4. Cyber Threat Intelligence
    • According to Gartner, "threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard." Threat intelligence is often broken up into four subcategories:  
      • Strategic: intelligence explains threats for a non-technical audience (stakeholders include C-level executives and board members) 
      • Tactical: intelligence describes threat conditions for technical audiences (stakeholders include SOC analysts, SIEM, and Endpoints) 
      • Operational: intelligence details hacker information and intent (stakeholders include Threat Hunters, SOC Analysts, and employees in charge of Incident Response) 
    • From top to bottom, threat intelligence offers unique advantages to every member of a security team. This intel benefits organizations of all shapes and sizes by helping them to better understand their attackers, respond faster to incidents, and proactively get ahead of an adversary’s next move.  
  5. Email Security
    • Email security refers to the collective measures used to secure the access and content of an email account or service. It allows an individual or organization to protect the overall access to their email addresses and accounts. From an individual/end user standpoint, proactive email security measures include strong passwords, password rotations, spam filters, and desktop-based anti-virus applications. 
  6. Endpoint Security
    • Endpoint security systems defend and protect computers and other devices from cybersecurity threats, whether that be on your network or in the cloud. An endpoint refers to any remote computing device that communicates back and forth with a network. Examples include smartphones, desktops, tablets, laptops, and servers.    
  7. GRC (Governance, Risk, and Compliance)
    • GRC is often described as a collection of capabilities that enable an organization to reliably achieve their objectives, act with integrity, and address uncertainties. This relatively new corporate management system integrates governance, risk, and compliance into the processes of every department within an organization. This system was intended to correct the "silo mentality" that leads departments inside of an organization to hoard information and/or resources.  
  8. Identity and Access Management (IAM)
    • IAM is the process of defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. Those users could be either customers or employees. Identity management systems are available for both on-premises and cloud-based systems. 
  9. Internet of Things (IoT) Security
    • IoT involves adding internet connectivity to a system of interrelated computing devices, mechanical and digital machines, objects, animals and/or people. Each "thing" is provided a unique identifier and the ability to automatically transfer data over a network. Allowing devices to connect to the internet opens them up to a number of serious vulnerabilities if they are not properly protected. 
  10. Security Awareness and Training
    • Security awareness training is a formally documented process used to educate employees on computer security and IT protection. The goal of a security awareness program is to increase both organizational understanding and practical implementation of security best practices. The programs themselves are important, but it's just as important for employees to be held responsible and that steps are taken to gauge how effective your organization's processes are. 

For more information on these security categories and the technologies available to you, reference our downloadable guide on the Cluttered Security Marketspace.


While every organization and vertical has its own specific set of challenges, security professionals generally agree on the top challenges they face while running a strategic security program. Based on the research we've collected in our Feats of Strength magazine and through our Cyber Security Business Podcast, here are the top 5 challenges that security faces: 

A successful security program takes a strategic approach to these challenges and implements innovative and creative tactics in an attempt to address them.  


In addition to the challenges a security leader faces, they also take into account the trending topics of the industry and when necessary and appropriate, apply them to their overall security strategy. Our research identified the top cybersecurity trends of 2020 and beyond: 

  • Artificial Intelligence
    • CISOs believe AI is moving beyond a buzzword. Many are actively researching and investing in AI technologies they believe will help their security programs. According to the trends we collected in our March issue of Feats of Strength, AI is the third most popular area in which CISOs are investing in this year.
  • Automation and Orchestration
    • CISOs are looking to invest in automation technologies that work to free up time and resources for their security people, so they can instead focus on strategic and high-value opportunities. As an example, information security is moving into other parts of information security, namely the DevSecOps space.
  • Clearing the Clutter 
    • There's no denying that the marketspace is saturated with security products and vendors, but how do you filter through the clutter and decide on the solutions that are best for your organization? We asked leading CISOs to weigh in on this topic.
  • Cloud Migration
    • According to our profile with Michael Charland, Global ISO at Hartford Steam Boiler, he believes "although many organizations have already begun moving to the cloud, they often have not taken time to provide training to their IT and/or security teams on the differences of how to manage security for cloud. There are many changes in how we manage security in the cloud based on whether the solution is SaaS, IaaS, or PaaS. When moving to cloud, we need to make sure that compliance is in place for our cloud configurations. Automation must be used as much as possible and...we need to understand and automate processes with policy and automation in place prior to moving to new technologies."
  • Privacy Regulations
    • When asked about the top challenges that force CISOs to redirect their time and focus away from strategic tasks, privacy regulations were among the top. These shifts and developments in regulations constantly redirect security team's time. With regulations like GDPR and CCPA to focus on, CISOs are forced to spend more time interacting with their legal and compliance teams.
  • Security Culture/Awareness
    • Behind a focus on cloud, increasing security awareness is the top goal for CISOs this year. They agree that in order to do this, they have to spend budget on building a stronger security culture within their organizations. CISOs are becoming increasingly more innovative with their attempts to embed security into the fabric of their companies.
  • Shift Left Security
    • Shift Left was mentioned by 54% of the CISOs we spoke with at the RSA Conference this year. They discussed the term in the context of improving quality by moving tasks to the ‘left’ as early in the technology lifecycle as possible, so you spend less time, energy, and resources on dealing with security issues. 
  • Zero Trust Models
    • Much like AI, Zero Trust Models are moving beyond a buzzword. In the Zero Trust model, no one and nothing is granted access until it has been verified. Zero Trust makes up for the dangers created by interconnection in the cloud, and as highly-connected cloud-based environments and threat landscapes continue to emerge and expand, the need for Zero Trust-based strategies is apparent now more than ever.

Read more about the trends we collected at the RSA conference in 2020.  

Personal Development and Staying Current 

Out of all the CISOs we've profiled, every single leader has cited personal development as a priority of theirs. In order to be strategic, make security a competitive advantage, and align with the business, it's crucial to make sure you're staying on top of the latest communication channels. Here are a few ways to stay current: 

At the end of the day, security isn't just an issue for the Security Department, it's a priority for the organization as a whole. In an attempt to create a culture of shared cyber risk ownership, your program must be strategic and business-focused. By focusing on the five components listed above, you set your organization up for success and create a foundational backbone for your security program.